Today, involving data processors for the processing of personal data and outsourcing business processes is a necessity for companies of practically any size and in any industry. Companies should therefore be aware of the new rules, duties and risks imposed by the GDPR.
1. Commissioned Data Processing
Art. 28 GDPR and Art. 29 GDPR govern commissioned data processing. These provisions continue the concept of involving data processors as initially introduced by Art. 17(2) and (3) Data Protection Directive and its implementation into German data protection law, Section 11 German Data Protection Act (BDSG).
For data controllers it is vital to carefully select and control data processors with regard to the technical and organisational measures they have implemented, in order to ensure data protection compliance. Where data controllers already have sufficient procedures in place for such selection and control, the GDPR does not bring major changes. This is, however, often not the case. More often than not, the selection and control of data processors is carried out merely by paper-based assessment, if at all. In such cases, adjusting or implementing the respective procedures is strongly recommended.
A further essential requirement for assigning data processors is implementing a data processing agreement. Under Art. 28(3) GDPR the data processing will continue to be "governed by a contract". Alternatively, a data controller may assign data processors under the GDPR on the basis of "[an]other legal act under Union or Member State law, that is binding on the processor with regard to the controller".
Art. 28(2) GDPR contains the required minimum wording for the data processing agreement and in this respect corresponds to the current requirement under Section 11(2) BDSG. This minimum wording includes in particular:
- subject-matter and duration of the data processing
- nature and purpose of the data processing
- types of personal data
- categories of data subjects
- obligations and rights of the data controller
Unlike under the current German legal framework, Art. 28(9) GDPR permits the commissioned data processing agreement to be executed in electronic form as stipulated under Section 126a German Civil Code (BGB), in addition to written form as stipulated under Section 126 BGB.
Data processors' rights and obligations will increasingly be regulated in the GDPR directly, as opposed to the current concept under Art. 17(2) and (3) Data Protection Directive and Section 11 BDSG, where the data processing agreement is the main or only source in this respect.
The German legislator has implemented a detailed concept in order to make data processors subject to rather strict obligations, including, inter alia, the data controllers' audit rights and rights to issue instructions. Today, data processors often refrain from providing data processing agreements in order to avoid this audit and instruction regime. Such avoidance strategies will be less successful under the GDPR, if they succeed at all.
The data processor's right to assign sub-processors is a frequent point of discussion when negotiating commissioned data processing agreements, in particular with regard to services with very large user bases in the field of hosting or "Software as a Service" (SaaS). Under the GDPR, there is a real chance that such discussions will vanish, because Art. 28(2) GDPR obliges the data processor to obtain the data controller's consent before assigning sub-processors. The only alternative is to agree on a general permission for assigning sub-processors. In the latter case, the data processor must in any event inform the data controller of the involvement of a new sub-processor, and the data controller is permitted to object to the individual assignment. For services with very large user bases such as Office 365 and Amazon Web Services, which involve a large number of sub-processors, this will be a real challenge.
There are a number of additional data processors' obligations that will follow from the law directly rather than from the data processing agreement only, such as the data processor's incident notification obligations under Art. 28(3) GDPR and the obligation to follow the data controller's instructions under Art. 29 GDPR.
2. Processing Special Categories of Personal Data
There are strict requirements for processing special categories of personal data as defined in Art. 9(1) GDPR. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation. Such sensitive data may be processed in many IT systems, including in particular IT systems used for the processing of HR data.
There are opinions in legal literature arguing that assigning data processors to process sensitive data would trigger the requirement of a statutory justification and would hence be subject to the strict regime of Art. 9(2) GDPR. I do not share this opinion and rather hold that data controllers are permitted to assign data processors where the requirements of Art. 28 GDPR are fulfilled, in particular where data processors have implemented sufficient technical and organisational measures and are subject to (contractual) obligations as stipulated in Art. 28(3) GDPR.
What is decisive for affected companies, however, is the opinion of the data protection authorities and the courts in this respect. Until this question of interpreting the GDPR is settled, affected companies are strongly advised to consider very carefully whether or not to outsource any processing of sensitive data.
3. Joint Responsibility and Liability
Art. 82 GDPR further develops the law of compensation for data protection infringements in a radical manner and significantly increases the exposure of both data controllers and data processors. Under the GDPR, they will be jointly liable for both material and non-material damages. This was the subject of Part 2 of this series.
4. International Data Transfer
Assigning data processors in, or transferring personal data to, third countries outside the European Economic Community (EEC) (jointly referred to below as data transfer) triggers strict requirements under data protection law. As a matter of principle, European data protection law considers data recipients in third countries as not providing appropriate data protection safeguards. The data controller must compensate for this lack of appropriate data protection when assigning data processors in, or transferring personal data to, third countries.
Data transfers to third countries require a two-step justification. At the first step, the data controller must have a data protection justification under Art. 6 GDPR or Art. 9 GDPR or, in the case of commissioned data processing, under Art. 28 GDPR. At the second step, the data controller must comply with the requirements under Art. 44 GDPR et seq. to implement appropriate data protection safeguards.
There are three means to implement appropriate data protection safeguards on the second step:
- adequacy decision under Art. 45(1) GDPR
- individually approved data protection safeguards under Art. 46(3) GDPR
- generally approved data protection safeguards under Art. 46(2) GDPR
4.1. Adequacy Decision
The European Commission may assess and decide whether or not a third country provides an adequate level of data protection, following the process stipulated in Art. 45(3) GDPR. Where the European Commission issues such an adequacy decision, the transfer of personal data to data recipients located in that third country is justified at the second step.
On the basis of Art. 25(6) Data Protection Directive (which is substantially similar to Art. 45(1) GDPR), the European Commission has adopted adequacy decisions regarding the following countries: Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (for data recipients under the EU-US Privacy Shield regime; on this and the associated data protection risks see my blog article of 12 February 2016).
4.2. Appropriate Data Protection Safeguards at the Data Recipient’s End
Where there is no adequacy decision of the European Commission, the data controller must ensure that appropriate data protection safeguards are in place for the individual data transfer (Art. 46(1) GDPR). Such safeguards can be agreed individually between the data controller and the data processor. As under the current rules, such clauses (referred to as ad hoc clauses) require individual approval by the data protection authority. Justifying international data transfers on the basis of ad hoc clauses has little relevance today, and this is not expected to change under the GDPR.
The following means of implementing appropriate data protection safeguards under Art. 46(2) GDPR are likely to have more relevance under the GDPR:
- binding corporate rules under Art. 47 GDPR
- standard data protection clauses under Art. 46(2)(c) and (d) GDPR
- approved codes of conduct under Art. 40 GDPR
- data controller’s certification under Art. 42 GDPR
Binding corporate rules are multilateral agreements for data transfers within an international group of companies that are approved by the competent data protection authority. Implementing binding corporate rules requires a rather high initial effort, but in return provides greater flexibility than standard data protection clauses. They are the measure of choice for larger groups of companies intending to cover a variety of data transfers.
Standard data protection clauses are bilateral agreements between individual data controllers and data recipients. Under Art. 46(2)(c) and (d) GDPR and Art. 93(3) GDPR, standard data protection clauses are adopted or approved by the European Commission under the procedure stipulated in Regulation EC No. 182/2011. The wording of the standard data protection clauses is prescribed in detail, and amendments are permitted in very limited cases only, in particular to describe the individual data transfer. Amending the wording beyond this may turn standard data protection clauses into ad hoc clauses and trigger the requirement for individual approval by the data protection authority. Standard data protection clauses involve little initial implementation effort, but can be tailored to individual requirements only to a very limited degree. Accordingly, they are handy as a second-step justification for individual data transfers or as a first step towards implementing binding corporate rules.
Approved codes of conduct enable associations and other bodies representing categories of data controllers and data processors to implement binding rules for their members regarding the handling of personal data. Where codes of conduct comply with the requirements under Art. 40(2) GDPR and are approved by the competent data protection authority, they provide for adequate data protection at the data recipient's end and may serve as a second-step justification. Approved codes of conduct are a new regime based on the concept of self-regulation. This gives the different industries the opportunity to introduce tailor-made concepts, and it involves limited implementation effort for both data controllers and data recipients. Whether or not this regime will become relevant under the GDPR will largely depend on the efforts of associations to implement the respective rules.
Data controllers' certification under Art. 42 GDPR is another mechanism for implementing a second-step justification for international data transfers. Data recipients may use certification to legitimize a possibly large number of data transfers from data controllers located within the EEC. This approach is particularly prudent for service providers with a large number of EEC-based customers. Now it is the Member States' turn to implement a certification infrastructure and certification bodies.
The GDPR further develops the Data Protection Directive's regime with regard to assigning data processors. For such an assignment, data controllers must ensure in particular that the requirements of Art. 28(3) GDPR regarding the agreement governing the data processing are fulfilled. Affected companies should further carefully monitor the evolution of the data protection authorities' opinions with regard to assigning the processing of sensitive data to data processors, in particular whether the data protection authorities (and ultimately the courts) would require a justification under Art. 6 GDPR or Art. 9 GDPR.
For international data transfers, the currently available safeguards, in particular the standard data protection clauses and binding corporate rules, will remain available under the GDPR. In the course of general data protection compliance assessments, affected companies should ensure that appropriate second-step justifications are in place on this basis. With regard to the new justification mechanisms of approved codes of conduct and data recipients' certification, the respective framework needs to be in place before it can be applied in any concept for justifying international data transfers.
Also available in this series:
Part 1: EU Data Protection Regulation – New Series
Part 2: Fines, Penalties and Damages for Data Protection Infringements
Part 3: Principles, Consent and Statutory Justifications